rubycas-server 0.7.1.1 → 1.0

data/public/themes/simple/theme.css

@@ -0,0 +1,28 @@
+body {
+  background-image: url(bg.png);
+}
+
+#headline-container {
+  margin-bottom: 5px;
+}
+
+#login-box {
+  margin: 0 auto;
+  width: 450px;
+  top: 110px;
+  position: relative;
+}
+
+#login-form {
+  background-color: #fff;
+  border: 1px #aaa solid;
+}
+
+#logo-container {
+  vertical-align: middle;
+}
+
+#logo {
+    width: 128px;
+    height: 128px;
+}

data/public/themes/urbacon/theme.css

@@ -0,0 +1,33 @@
+body {
+  background-image: url(bg.png);
+}
+
+label {
+  color: #5c6156;
+}
+
+#login-form {
+  background-repeat: no-repeat;
+  background-image: url(login_box_bg.png);
+  height: 175px;
+  width: 210px;
+  padding: 20px;
+}
+
+#logo-container {
+  vertical-align: top;
+}
+
+#logo {
+    width: 115px;
+    height: 171px;
+}
+
+#infoline {
+  color: #5c6156;
+  font-size: 8px;
+}
+
+#headline-container {
+  margin-right: 15px;
+}

data/resources/init.d.sh

@@ -1,6 +1,6 @@
 #! /bin/sh
 #
-# Copyright (c) 2007 Urbacon Ltd.
+# Copyright (c) 2008 Urbacon Ltd.
 #
 # System startup script for the RubyCAS-Server
 #

data/rubycas-server.gemspec

@@ -0,0 +1,57 @@
+
+$gemspec = Gem::Specification.new do |s|
+  s.name     = 'rubycas-server'
+  s.version  = '1.0'
+  s.authors  = ["Matt Zukowski"]
+  s.email    = ["matt@zukowski.ca"]
+  s.homepage = 'http://code.google.com/p/rubycas-server/'
+  s.platform = Gem::Platform::RUBY
+  s.summary  = %q{Provides single sign-on authentication for web applications using the CAS protocol.}
+  s.description  = %q{Provides single sign-on authentication for web applications using the CAS protocol.}
+
+  s.files  = [
+    "CHANGELOG", "LICENSE", "README.md", "Rakefile", "setup.rb",
+    "bin/*", "db/*", "lib/**/*.rb", "public/**/*", "po/**/*", "mo/**/*", "resources/*.*",
+    "tasks/**/*.rake", "vendor/**/*", "script/*", "lib/**/*.erb", "lib/**/*.builder",
+    "Gemfile", "rubycas-server.gemspec"
+  ].map{|p| Dir[p]}.flatten
+
+  s.test_files = `git ls-files -- spec`.split("\n")
+
+  s.executables = ["rubycas-server"]
+  s.bindir = "bin"
+  s.require_path = "lib"
+
+  s.extra_rdoc_files = ["CHANGELOG", "LICENSE", "README.md"]
+
+  s.has_rdoc = true
+  s.post_install_message = %q{
+For more information on RubyCAS-Server, see http://code.google.com/p/rubycas-server
+
+If you plan on using RubyCAS-Server with languages other than English, please cd into the
+RubyCAS-Server installation directory (where the gem is installed) and type `rake localization:mo`
+to build the LOCALE_LC files.
+
+}
+
+  s.add_dependency("activerecord", "~> 2.3.6")
+  s.add_dependency("activesupport", "~> 2.3.6")
+  s.add_dependency("sinatra", "~> 1.0")
+  s.add_dependency("gettext", "~> 2.1.0")
+  s.add_dependency("crypt-isaac", "~> 0.9.1")
+
+  s.add_development_dependency("rack-test")
+  s.add_development_dependency("capybara")
+  s.add_development_dependency("rspec")
+  s.add_development_dependency("rspec-core")
+  s.add_development_dependency("sqlite3", "~> 1.3.1")
+  
+  # for authenticator specs
+  s.add_development_dependency("net-ldap", "~> 0.1.1")
+  s.add_development_dependency("activeresource", "~> 2.3.6")
+
+  s.rdoc_options = [
+    '--quiet', '--title', 'RubyCAS-Server Documentation', '--opname',
+    'index.html', '--line-numbers', '--main', 'README.md', '--inline-source'
+  ]
+end

data/setup.rb

@@ -659,7 +659,7 @@ module FileOperations
   def ruby(*args)
     command config('rubyprog'), *args
   end
-  
+
   def make(task = nil)
     command(*[config('makeprog'), task].compact)
   end
@@ -722,7 +722,7 @@ module HookScriptAPI
   def srcdirectory?(path)
     File.dir?(srcfile(path))
   end
-  
+
   def srcfile?(path)
     File.file?(srcfile(path))
   end
@@ -826,7 +826,7 @@ class ToplevelInstaller
       __send__ "exec_#{task}"
     end
   end
-  
+
   def run_metaconfigs
     @config.load_script "#{@ardir}/metaconfig"
   end
@@ -1404,7 +1404,7 @@ class Installer
   end
 
   # picked up many entries from cvs-1.11.1/src/ignore.c
-  JUNK_FILES = %w( 
+  JUNK_FILES = %w(
     core RCSLOG tags TAGS .make.state
     .nse_depinfo #* .#* cvslog.* ,* .del-* *.olb
     *~ *.old *.bak *.BAK *.orig *.rej _$* *$

data/spec/alt_config.yml

@@ -0,0 +1,50 @@
+server: webrick
+port: 6543
+#ssl_cert: test.pem
+uri_path: /test
+#bind_address: 0.0.0.0
+
+# database:
+#   adapter: mysql
+#   database: casserver
+#   username: root
+#   password: 
+#   host: localhost
+#   reconnect: true
+database:
+ adapter: sqlite3
+ database: spec/casserver_spec.db
+ 
+disable_auto_migrations: true
+
+quiet: true
+
+authenticator:
+  class: CASServer::Authenticators::Test
+  password: spec_password
+
+theme: simple
+
+organization: "RSPEC-TEST"
+
+infoline: "This is an rspec test."
+
+#custom_views: /path/to/custom/views
+
+default_locale: en
+
+log:
+  file: casserver_spec.log
+  level: DEBUG
+
+#db_log:
+#  file: casserver_spec_db.log
+
+enable_single_sign_out: true
+
+#maximum_unused_login_ticket_lifetime: 300
+#maximum_unused_service_ticket_lifetime: 300
+
+#maximum_session_lifetime: 172800
+
+#downcase_username: true

data/spec/authenticators/active_resource_spec.rb

@@ -0,0 +1,109 @@
+# encoding: UTF-8
+require File.dirname(__FILE__) + '/../spec_helper'
+
+require 'casserver/authenticators/active_resource'
+
+describe CASServer::Authenticators::Helpers::Identity do
+
+  it { should be_an ActiveResource::Base }
+
+  it "class should respond to :authenticate" do
+    subject.class.should respond_to :authenticate
+  end
+
+  it "class should have a method_name accessor" do
+    CASServer::Authenticators::Helpers::Identity.method_name.should == :authenticate
+  end
+
+  it "class should have a method_name accessor" do
+    CASServer::Authenticators::Helpers::Identity.method_type.should == :post
+  end
+
+  it "class method_type accessor should validate type" do
+    expect {
+      CASServer::Authenticators::Helpers::Identity.method_type = :foo
+    }.to raise_error(ArgumentError)
+  end
+
+end
+
+describe CASServer::Authenticators::ActiveResource do
+
+  describe "#setup" do
+
+    it "should configure the identity object" do
+      CASServer::Authenticators::Helpers::Identity.should_receive(:user=).with('httpuser').once
+      CASServer::Authenticators::ActiveResource.setup :site => 'http://api.example.org', :user => 'httpuser'
+    end
+
+    it "should configure the method_type" do
+      CASServer::Authenticators::Helpers::Identity.should_receive(:method_type=).with('get').once
+      CASServer::Authenticators::ActiveResource.setup :site => 'http://api.example.org', :method_type => 'get'
+    end
+
+    it "should raise if site option is missing" do
+      expect {
+        CASServer::Authenticators::ActiveResource.setup({}).should
+      }.to raise_error(CASServer::AuthenticatorError, /site option/)
+    end
+  end
+
+  describe "#validate" do
+
+    let(:credentials) { {:username => 'validusername',
+                         :password => 'validpassword',
+                         :service => 'test.service'} }
+
+    let(:auth) { CASServer::Authenticators::ActiveResource.new }
+
+    def mock_authenticate identity = nil
+      identity = CASServer::Authenticators::Helpers::Identity.new if identity.nil?
+      CASServer::Authenticators::Helpers::Identity.stub!(:authenticate).and_return(identity)
+    end
+
+    def sample_identity attrs = {}
+      identity = CASServer::Authenticators::Helpers::Identity.new
+      attrs.each { |k,v| identity.send "#{k}=", v }
+      identity
+    end
+
+    it "should call Identity#autenticate with the given params" do
+      CASServer::Authenticators::Helpers::Identity.should_receive(:authenticate).with(credentials).once
+      auth.validate(credentials)
+    end
+
+    it "should return identity object attributes as extra attributes" do
+      auth.configure({}.with_indifferent_access)
+      identity = sample_identity({:email => 'foo@example.org'})
+      mock_authenticate identity
+      auth.validate(credentials).should be_true
+      auth.extra_attributes.should == identity.attributes
+    end
+
+    it "should return false when http raises" do
+      CASServer::Authenticators::Helpers::Identity.stub!(:authenticate).and_raise(ActiveResource::ForbiddenAccess.new({}))
+      auth.validate(credentials).should be_false
+    end
+
+    it "should apply extra_attribute filter" do
+      auth.configure({ :extra_attributes => 'age'}.with_indifferent_access)
+      mock_authenticate sample_identity({ :email => 'foo@example.org', :age => 28 })
+      auth.validate(credentials).should be_true
+      auth.extra_attributes.should == { "age" => "28" }
+    end
+
+    it "should only extract not filtered attributes" do
+      auth.configure({ :filter_attributes => 'age'}.with_indifferent_access)
+      mock_authenticate sample_identity({ :email => 'foo@example.org', :age => 28 })
+      auth.validate(credentials).should be_true
+      auth.extra_attributes.should == { "email" => 'foo@example.org' }
+    end
+
+    it "should filter password if filter attributes is not given" do
+      auth.configure({}.with_indifferent_access)
+      mock_authenticate sample_identity({ :email => 'foo@example.org', :password => 'secret' })
+      auth.validate(credentials).should be_true
+      auth.extra_attributes.should == { "email" => 'foo@example.org' }
+    end
+  end
+end

data/spec/authenticators/ldap_spec.rb

@@ -0,0 +1,53 @@
+# encoding: UTF-8
+require File.dirname(__FILE__) + '/../spec_helper'
+
+require 'casserver/authenticators/ldap'
+
+describe CASServer::Authenticators::LDAP do
+  before do
+    @ldap_entry = mock(Net::LDAP::Entry.new)
+    @ldap_entry.stub!(:[]).and_return("Test")
+    
+    @ldap = mock(Net::LDAP)
+    @ldap.stub!(:host=)
+    @ldap.stub!(:port=)
+    @ldap.stub!(:encryption)
+    @ldap.stub!(:bind_as).and_return(true)
+    @ldap.stub!(:authenticate).and_return(true)
+    @ldap.stub!(:search).and_return([@ldap_entry])
+    
+    Net::LDAP.stub!(:new).and_return(@ldap)
+  end
+  
+  describe '#validate' do
+
+    it 'validate with preauthentication and with extra attributes' do
+      auth = CASServer::Authenticators::LDAP.new
+
+      auth_config = HashWithIndifferentAccess.new(
+        :ldap => {
+          :host => "ad.example.net",
+          :port => 389,
+          :base => "dc=example,dc=net",
+          :filter => "(objectClass=person)",
+          :auth_user => "authenticator",
+          :auth_password => "itsasecret"
+        },
+        :extra_attributes => [:full_name, :address]
+      )
+      
+      auth.configure(auth_config.merge('auth_index' => 0))
+      auth.validate(
+        :username => 'validusername',
+        :password => 'validpassword',
+        :service =>  'test.service',
+        :request => {}
+      ).should == true
+      
+      auth.extra_attributes.should == {:full_name => 'Test', :address => 'Test'}
+    end
+    
+  end
+end
+
+

data/spec/casserver_spec.rb

@@ -0,0 +1,149 @@
+# encoding: UTF-8
+require File.dirname(__FILE__) + '/spec_helper'
+
+$LOG = Logger.new(File.basename(__FILE__).gsub('.rb','.log'))
+
+RSpec.configure do |config|
+  config.include Capybara
+end
+
+VALID_USERNAME = 'spec_user'
+VALID_PASSWORD = 'spec_password'
+
+ATTACK_USERNAME = '%3E%22%27%3E%3Cscript%3Ealert%2826%29%3C%2Fscript%3E&password=%3E%22%27%3E%3Cscript%3Ealert%2826%29%3C%2Fscript%3E&lt=%3E%22%27%3E%3Cscript%3Ealert%2826%29%3C%2Fscript%3E&service=%3E%22%27%3E%3Cscript%3Ealert%2826%29%3C%2Fscript%3E'
+INVALID_PASSWORD = 'invalid_password'
+
+describe 'CASServer' do
+
+  before do
+    @target_service = 'http://my.app.test'
+  end
+
+  describe "/login" do
+    before do
+      load_server(File.dirname(__FILE__) + "/default_config.yml")
+      reset_spec_database
+    end
+
+    it "logs in successfully with valid username and password without a target service" do
+      visit "/login"
+
+      fill_in 'username', :with => VALID_USERNAME
+      fill_in 'password', :with => VALID_PASSWORD
+      click_button 'login-submit'
+
+      page.should have_content("You have successfully logged in")
+    end
+
+    it "fails to log in with invalid password" do
+      visit "/login"
+      fill_in 'username', :with => VALID_USERNAME
+      fill_in 'password', :with => INVALID_PASSWORD
+      click_button 'login-submit'
+
+      page.should have_content("Incorrect username or password")
+    end
+
+    it "logs in successfully with valid username and password and redirects to target service" do
+      visit "/login?service="+CGI.escape(@target_service)
+
+      fill_in 'username', :with => VALID_USERNAME
+      fill_in 'password', :with => VALID_PASSWORD
+
+      click_button 'login-submit'
+
+      page.current_url.should =~ /^#{Regexp.escape(@target_service)}\/?\?ticket=ST\-[1-9rA-Z]+/
+    end
+
+    it "preserves target service after invalid login" do
+      visit "/login?service="+CGI.escape(@target_service)
+
+      fill_in 'username', :with => VALID_USERNAME
+      fill_in 'password', :with => INVALID_PASSWORD
+      click_button 'login-submit'
+
+      page.should have_content("Incorrect username or password")
+      page.should have_xpath('//input[@id="service"]', :value => @target_service)
+    end
+
+    it "uses appropriate localization when 'lang' prameter is given (make sure you've run `rake localization:mo` first!!)" do
+      visit "/login?lang=pl"
+      page.should have_content("Użytkownik")
+
+      visit "/login?lang=pt_BR"
+      page.should have_content("Usuário")
+
+      visit "/login?lang=en"
+      page.should have_content("Username")
+    end
+
+    it "is not vunerable to Cross Site Scripting" do
+      visit '/login?service=%22%2F%3E%3cscript%3ealert%2832%29%3c%2fscript%3e'
+      page.should_not have_content("alert(32)")
+      page.should_not have_xpath("//script")
+      #page.should have_xpath("<script>alert(32)</script>")
+    end
+
+  end # describe '/login'
+
+
+  describe '/logout' do
+
+    before do
+      load_server(File.dirname(__FILE__) + "/default_config.yml")
+      reset_spec_database
+    end
+
+    it "logs out successfully" do
+      visit "/logout"
+
+      page.should have_content("You have successfully logged out")
+    end
+
+    it "logs out successfully and redirects to target service" do
+      visit "/logout?gateway=true&service="+CGI.escape(@target_service)
+
+      page.current_url.should =~ /^#{Regexp.escape(@target_service)}\/?/
+    end
+
+  end # describe '/logout'
+
+  describe 'Configuration' do
+    it "uri_path value changes prefix of routes" do
+      load_server(File.dirname(__FILE__) + "/alt_config.yml")
+      @target_service = 'http://my.app.test'
+
+      visit "/test/login"
+      page.status_code.should_not == 404
+
+      visit "/test/logout"
+      page.status_code.should_not == 404
+    end
+  end
+
+  describe "proxyValidate" do
+    before do
+      load_server(File.dirname(__FILE__) + "/default_config.yml")
+      reset_spec_database
+
+      visit "/login?service="+CGI.escape(@target_service)
+
+      fill_in 'username', :with => VALID_USERNAME
+      fill_in 'password', :with => VALID_PASSWORD
+
+      click_button 'login-submit'
+
+      page.current_url.should =~ /^#{Regexp.escape(@target_service)}\/?\?ticket=ST\-[1-9rA-Z]+/
+      @ticket = page.current_url.match(/ticket=(.*)$/)[1]
+    end
+
+    it "should have extra attributes in proper format" do
+      visit "/serviceValidate?service=#{CGI.escape(@target_service)}&ticket=#{@ticket}"
+
+      encoded_utf_string = "&#1070;&#1090;&#1092;" # actual string is "Ютф"
+      page.body.should match("<test_utf_string>#{encoded_utf_string}</test_utf_string>")
+      page.body.should match("<test_numeric>123.45</test_numeric>")
+      page.body.should match("<test_utf_string>&#1070;&#1090;&#1092;</test_utf_string>")
+    end
+  end
+end